git: Added Windows code signing

2026-03-27 23:37:05 -05:00 · 2025-09-02 18:24:48 +02:00
parent 83650c908d
commit 691ff11fbc
3 changed files with 100 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -166,6 +166,7 @@ jobs:

    - name: ⬆️ Upload Windows Installer
      uses: actions/upload-artifact@v4
+      id: upload-installer
      with:
        if-no-files-found: error
        name: Windows Installer ${{ matrix.architecture_name }}
@@ -199,6 +200,27 @@ jobs:
        path: |
          build/install/*

+    - name: 🗝️ Test-Sign Installer
+      uses: signpath/github-action-submit-signing-request@v1
+      with:
+        api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+        organization-id: 'f605a0e8-86cd-411c-bb6f-e05025afcc33'
+        project-slug: 'ImHex'
+        signing-policy-slug: 'test-signing'
+        github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}'
+        wait-for-completion: true
+        output-artifact-directory: './signed'
+        parameters: |
+          version: ${{ env.IMHEX_VERSION }}-${ matrix.architecture_name }-${{ github.sha }}-${{ github.run_number }}
+
+    - name: ⬆️ Upload NoGPU Portable ZIP
+      uses: actions/upload-artifact@v4
+      with:
+        if-no-files-found: error
+        name: Windows Installer ${{ matrix.architecture_name }} (Signed)
+        path: |
+          signed/*
+
  win_msvc:
    strategy:
      fail-fast: false
--- a/.github/workflows/nightly_release.yml
+++ b/.github/workflows/nightly_release.yml
@@ -82,6 +82,45 @@ jobs:
          git fetch --tags --recurse-submodules=no
          git log nightly..origin/master --oneline --no-merges --pretty=format:'* %s' >> changelog.md

+      - name: ⬆️ Upload Unsigned x86_64 Windows Installer
+        if: false
+        uses: actions/upload-artifact@v4
+        id: upload-installer-x86_64
+        with:
+          if-no-files-found: error
+          name: Windows Installer ${{ matrix.architecture_name }}
+          path: |
+            imhex-*-x86_64.msi
+
+      - name: ⬆️ Upload Unsigned ARM64 Windows Installer
+        if: false
+        uses: actions/upload-artifact@v4
+        id: upload-installer-arm64
+        with:
+          if-no-files-found: error
+          name: Windows Installer ${{ matrix.architecture_name }}
+          path: |
+            imhex-*-arm64.msi
+
+      - name: 🗑️ Delete unsigned installers
+        if: false
+        run: |
+          rm imhex-*.msi
+
+      - name: 🗝️ Sign Installer
+        if: false
+        uses: signpath/github-action-submit-signing-request@v1
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: 'f605a0e8-86cd-411c-bb6f-e05025afcc33'
+          project-slug: 'ImHex'
+          signing-policy-slug: 'release-signing'
+          github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: '.'
+          parameters: |
+            version: ${{ env.IMHEX_VERSION }}-${ matrix.architecture_name }-${{ github.sha }}-${{ github.run_number }}
+
      - name: 📦 Update Pre-Release
        if: ${{ steps.check_commits.outputs.should_run == 'true' }}
        run: |
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -121,6 +121,45 @@ jobs:
          mv "ImHex Web.zip" imhex-${{ env.IMHEX_VERSION }}-Web.zip
          rm artifact.tar || true

+      - name: ⬆️ Upload Unsigned x86_64 Windows Installer
+        if: false
+        uses: actions/upload-artifact@v4
+        id: upload-installer-x86_64
+        with:
+          if-no-files-found: error
+          name: Windows Installer ${{ matrix.architecture_name }}
+          path: |
+            imhex-*-x86_64.msi
+
+      - name: ⬆️ Upload Unsigned ARM64 Windows Installer
+        if: false
+        uses: actions/upload-artifact@v4
+        id: upload-installer-arm64
+        with:
+          if-no-files-found: error
+          name: Windows Installer ${{ matrix.architecture_name }}
+          path: |
+            imhex-*-arm64.msi
+
+      - name: 🗑️ Delete unsigned installers
+        if: false
+        run: |
+          rm imhex-*.msi
+
+      - name: 🗝️ Sign Installer
+        if: false
+        uses: signpath/github-action-submit-signing-request@v1
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: 'f605a0e8-86cd-411c-bb6f-e05025afcc33'
+          project-slug: 'ImHex'
+          signing-policy-slug: 'release-signing'
+          github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: '.'
+          parameters: |
+            version: ${{ env.IMHEX_VERSION }}-${ matrix.architecture_name }
+
      - name: ⬆️ Upload everything to release
        uses: softprops/action-gh-release@4634c16e79c963813287e889244c50009e7f0981
        with: